Target IP: 10.10.86.131
Hack into the scammer's under-development website to foil their plans.
There are four TCP ports open on the target machine: SSH, HTTP, and SMB (which uses two ports).
Ports 139 and 445: SMB
Since SMB is open and allows guest login, I started my enumeration there. There is a share called websvr that contains the file enter.txt.
The enter.txt file contains the content shown above. However, the password is encoded, and the file hints at using the Magic operation in CyberChef to recover it. The credential belongs to the Subrion CMS.
Using the Magic operation against the encoded text in CyberChef, I obtained the password Scam2021. Now I have the credential admin:Scam2021 for the Subrion CMS application.
A directory brute-force search shows the interesting entries above.
The /test contains the webpage above. It looks like a fake scareware pop-up made by the scammers to target people.
The /wordpress directory shows the webpage above. After enumerating for some time, I did not find anything useful.
From the previous enumeration, I had a credential for Subrion CMS, so I wanted to check whether this application exists on the target. Using the command gobuster dir -u http://10.10.86.131/subrion/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -s 200 -b "", I got a hit. The entries above are displayed for this CMS application; panel.php sounds like an admin panel.
Browsing to /panel brings up the login page of the CMS.
Using the credential admin:Scam2021, I gained access to the CMS application. The target is running version 4.2.1, which is vulnerable to remote code execution through its file upload functionality.
Using searchsploit, I made a copy of the exploit on my local machine.
I ran the exploit against the target machine. This gave me a simple web shell, which I upgraded to a reverse shell connection using a Python reverse shell script. Now I have a foothold on the target machine.
The WordPress wp-config.php file contains the credential support:ImAScammerLOL!123!.
Reusing this password ImAScammerLOL!123! for the user scamsite worked. Now I have elevated my privileges from www-data to the scamsite user.
It looks like this user can execute the binary /usr/bin/iconv with elevated privileges. This binary can be used to read files such as /etc/shadow.
I managed to obtain the shadow file, which contains the password hash of the root user, but I was unable to crack it. The binary can also be used to write file contents, so it would be possible to overwrite the authorized_keys file with my own SSH key. But obtaining the one flag was the mission.
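As an added defensive check that is not part of this writeup, the following script audits sudoers-style rules for exactly the misconfiguration abused above: a user allowed to run a file-handling binary such as /usr/bin/iconv with elevated privileges. The sample sudoers text and the FILE_ACCESS_BINARIES set are constructed assumptions, not the target's real configuration.

```python
# Added example (not from the writeup): audit sudoers rules for binaries that
# can read or write arbitrary files when run as root, such as /usr/bin/iconv.
import re
from dataclasses import dataclass

# Assumption: which binaries count as file-access primitives is local policy;
# only iconv, the one discussed in the writeup, is listed here.
FILE_ACCESS_BINARIES = {"/usr/bin/iconv"}

# Constructed sample sudoers content; not the target machine's real file.
SAMPLE_SUDOERS = """
# constructed sample
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
scamsite ALL=(root) NOPASSWD: /usr/bin/iconv
backup   ALL=(ALL) /usr/bin/rsync, /usr/bin/iconv
"""

# user  hosts = (runas) [TAG:] command[, [TAG:] command ...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmnds>.+)$")

@dataclass
class Rule:
    user: str
    runas: str
    tags: frozenset
    command: str

def parse_sudoers(text):
    """Parse user-spec lines into Rule objects, one per command in a spec list."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set()  # tags such as NOPASSWD persist across the command list
        for spec in m["cmnds"].split(","):
            spec = spec.strip()
            while (tm := re.match(r"([A-Z]+):\s*", spec)):
                tags.add(tm.group(1))
                if tm.group(1) == "PASSWD":  # PASSWD: resets an earlier NOPASSWD:
                    tags.discard("NOPASSWD")
                spec = spec[tm.end():]
            rules.append(Rule(m["user"], (m["runas"] or "root").strip(), frozenset(tags), spec))
    return rules

def audit(rules):
    """Return (user, command, finding) tuples for rules worth reviewing."""
    findings = []
    for r in rules:
        binary = r.command.split()[0]
        if binary == "ALL":
            findings.append((r.user, "ALL", "unrestricted sudo"))
        elif binary in FILE_ACCESS_BINARIES:
            sev = "high: NOPASSWD" if "NOPASSWD" in r.tags else "medium: password required"
            findings.append((r.user, binary, sev))
    return findings

if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(*f)
```

Run it against the output of visudo -c -f or a copied /etc/sudoers to spot rules that hand a user an arbitrary file read/write primitive; the fix is to remove the rule or restrict it to specific arguments.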
The root.txt flag.